Insert certificate into agent for existing key?

Brian Candler b.candler at pobox.com
Sun Feb 7 23:09:41 AEDT 2021


Does the ssh-agent protocol allow adding a certificate for a private key 
which it already has? The idea is to issue a certificate for a key the 
agent already has, to avoid the entropy drain of generating a new key.

https://tools.ietf.org/html/draft-miller-ssh-agent-04 shows private 
keys, and doesn't mention certificates at all.  However, it does say:

"Typically only the public components of any keys supported on a 
hardware token will be loaded into an agent" - which suggests that the 
SSH_AGENTC_ADD_IDENTITY message might be able to carry only the public 
parts of a key.

https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.certkeys 
defines new *public* key formats for certificates - they don't contain 
the private key components as far as I can see.

However, looking at the Go ssh-agent client, it inserts a private key 
and certificate in a single SSH_AGENTC_ADD_IDENTITY or 
SSH_AGENTC_ADD_ID_CONSTRAINED message:

https://github.com/golang/crypto/blob/master/ssh/agent/client.go#L664

(and I haven't been able to find documentation which defines that 
private key + certificate message format).

So basically: can I send just a certificate to ssh-agent?  And if so, 
how is that done?

Thanks,

Brian.